Open cpholguera opened 4 years ago
Since this is part of the cat & mouse game, shouldn't we simply list a few, and point the user to further resources?
Thanks @TheDauntless I could actually have been a bit more descriptive in the description of the issue. I've enhanced it. What do you think?
@julepka would you like to help us out here?
I was looking for a nice library to detect reverse engineering tools on Android and I've found exactly the same repos as mentioned here and in MSTG. I hope to test them when I have time to see if they are working. For example, I wanted to use https://github.com/darvincisec/DetectFrida but it has a couple of reported issues that don't sound good to me.
Sure! Give it a try whenever you can and gladly report. If there are issues with DetectFrida we can contact @darvincisec, the author, maybe he'll help us out. He's already contributed before :)
Hi guys, I'm trying out the Frida detection example made by Bernhard Mueller mentioned on the table here, and it's just not working. I'm running a frida-server (version 15.0.18) on a rooted device and it's not being detected.
I'm thinking it might be an outdated solution, can you guys confirm this is still working? Should I open an issue?
Verify which detection mechanisms we are already covering and which not:
https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/
https://github.com/darvincisec/DetectFrida
Evaluate if we should enhance the ones we already cover with some info from there. Or it'd be sufficient to just link to this page/repo as a useful resource.
Verify if we have custom code and update linking to the code in the repo. Maybe even link to the exact lines.
a. Detect through named pipes used by Frida
b. Detect through Frida-specific named thread
c. Compare text section in memory with text section on disk
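Checks (a) and (b) from the list above, sketched as an added example that is not code from this issue, the MSTG, or DetectFrida. The marker strings are assumptions based on commonly reported Frida artifacts, and the function names (`is_suspicious_thread`, `is_suspicious_fd_target`, `scan_proc`) are hypothetical.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed artifact names, not taken from this thread; they vary by Frida version. */
static const char *const THREAD_MARKERS[] = { "gum-js-loop", "gmain" };
static const char *const PIPE_MARKER = "linjector";

/* (b) Exact match on a thread name read from /proc/self/task/<tid>/comm. */
int is_suspicious_thread(const char *comm) {
    for (size_t i = 0; i < sizeof THREAD_MARKERS / sizeof *THREAD_MARKERS; i++)
        if (strcmp(comm, THREAD_MARKERS[i]) == 0) return 1;
    return 0;
}
/* (a) Substring match on the link target of /proc/self/fd/<n>. */
int is_suspicious_fd_target(const char *t) { return strstr(t, PIPE_MARKER) != NULL; }

/* Scan a /proc/<pid>-style directory; returns the hit count, or -1 if unreadable. */
int scan_proc(const char *proc_dir) {
    char path[4096], buf[4096];
    struct dirent *e;
    int hits = 0;
    snprintf(path, sizeof path, "%s/task", proc_dir);
    DIR *d = opendir(path);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;          /* skip "." and ".." */
        snprintf(path, sizeof path, "%s/task/%s/comm", proc_dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;                           /* thread exited meanwhile */
        if (fgets(buf, sizeof buf, f)) {
            buf[strcspn(buf, "\n")] = '\0';         /* comm ends with a newline */
            hits += is_suspicious_thread(buf);
        }
        fclose(f);
    }
    closedir(d);
    snprintf(path, sizeof path, "%s/fd", proc_dir);
    if (!(d = opendir(path))) return -1;
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/fd/%s", proc_dir, e->d_name);
        ssize_t n = readlink(path, buf, sizeof buf - 1);
        if (n < 0) continue;                        /* "." and ".." are not links */
        buf[n] = '\0';                              /* readlink does not terminate */
        hits += is_suspicious_fd_target(buf);
    }
    closedir(d);
    return hits;
}
```

Called as `scan_proc("/proc/self")` from native code inside the app. Name-based markers are easy to rename and `gmain` is a generic GLib thread name, so treat a hit as one signal among several rather than proof.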